ddos / no connection tracking / tarpitting

Taylor Grant gtaylor at riverviewtech.net
Fri Apr 22 08:52:09 CEST 2005

> You *must* use the rule
> iptables -t raw -A PREROUTING -s -p tcp --sport 5678 -j NOTRACK
> as well, otherwise conntrack will pick up the reply packets from the
> TARPIT target.

Very good point.

More information about the netfilter mailing list